UAE PDPL: the federal data protection law, explained
UAE Federal Personal Data Protection Law · United Arab Emirates
The UAE Personal Data Protection Law is the federal data protection regime for the United Arab Emirates. It follows the broad structure of GDPR — a lawful basis for processing, data subject rights, breach notification, and cross-border transfer restrictions — with its own thresholds, its own regulator, and its own exemptions.
Who it applies to
- Organisations established in the UAE that process the personal data of data subjects inside or outside the UAE
- Organisations outside the UAE that process the personal data of data subjects inside the UAE
- Note that the DIFC and ADGM financial free zones operate their own separate data protection laws
What it requires
A lawful basis for processing
Consent is the default basis under the PDPL, with defined exceptions — contract necessity, legal obligation, protection of vital interests, and public interest among them.
Data subject rights
Access, correction, erasure, restriction of processing, objection, and data portability — broadly mirroring GDPR.
Breach notification
Notification to the regulator, and to affected individuals where the breach poses a risk to their privacy, security, or confidentiality.
Cross-border transfer restrictions
Transfers are permitted to jurisdictions with adequate protection, or under appropriate safeguards such as contractual clauses.
A Data Protection Officer where required
Appointment is required where processing is high-risk, involves large-scale sensitive data, or involves systematic evaluation.
Records and accountability
Controllers and processors must maintain records of processing and be able to demonstrate compliance.
Penalties
Administrative penalties are set by Cabinet decision. The practical exposure for most organisations is regulatory action and the commercial consequence of failing a customer's due diligence.
UAE PDPL support is in development
To be straight with you: RegRely runs GDPR today. UAE PDPL is not shipped yet. The underlying workflows — data subject requests, records of processing, consent, risk, and evidence — are the same across regimes, which is what makes the extension tractable rather than a rewrite.
If UAE PDPL is on your critical path, tell us your timeline and we will tell you honestly whether we can meet it.